動態SQL級聯

Question

存在問題並置以下語句。

基本上我想要長度列添加英寸後，但它不會運行。我將在未來創建一個功能，但無法超越這一步。是什麼賦予了？

declare @column varchar(255) 
declare @sql varchar(5000) 
declare @additional varchar(500) 

set @column = 'length' 

set @additional = 'inches' 

select @sql = 'select distinct ps.p_c_id, ' 

select @sql = @sql + @column + ' '+@additional+ ' ' + ' as value' 

select @sql = @sql 

select @sql = @sql + ' from dbo.Product ps 
inner join dbo.ProductAttributes psa on psa.p_s_id = ps.p_s_id 
where ps.p_c_id is not null and ' + @column + ' is not null' 


exec (@sql) 

Answer 1

你是串聯，什麼我假設是整數或浮點數值的字符串「英寸」 ...不得不投「長度」的值作爲VARCHAR ... 只需選擇您的@ sql下次看到結果的語法，它應該跳出你。這裏是應該工作的變化 順便說一句...看着執行EXEC sp_executesql ...使動態sql更不容易通過使用參數注入...查找書籍在線 抱歉...吃Crow ... sp_executesql不保護注射只是提高了一般性能...查看文章MSDN SQL Injection

declare @column varchar(255) 
declare @sql varchar(5000) 
declare @additional varchar(500) 

set @column = 'psa.length' 

set @additional = 'inches' 

select @sql = 'select distinct ps.p_c_id, ' 

select @sql = @sql + 'CAST(' + @column + ' AS varchar(10)) + ' + ''' '+@additional+ ''' ' + ' as value' 

select @sql = @sql 

select @sql = @sql + ' from dbo.Product ps 
inner join dbo.ProductAttributes psa on psa.p_s_id = ps.p_s_id 
where ps.p_c_id is not null and ' + @column + ' is not null' 

--select @sql AS [ExecutableSQL] 
exec(@sql) 

Answer 2

您的輸出是;

select distinct ps.p_c_id, length inches as value from dbo.Product ps 
inner join dbo.ProductAttributes psa on psa.p_s_id = ps.p_s_id 
where ps.p_c_id is not null and length is not null 

所以它看起來像一個丟失length inches之間,假設你想兩者;

select @sql = @sql + @column + ','+ @additional+ ' ' + ' as value'